HIPAA Compliant Email

Last updated September 12, 2017. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Any organization dealing with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. This of course includes HIPAA compliant email.

Organizations include Covered Entities (anyone who provides treatment, payment and operations in healthcare) and Business Associates (anyone who has access to patient information and provides support in treatment, payment or operations). This also means making sure HIPAA compliant email is built in when it comes to your choice of email service provider.

Subcontractors, that is business associates of business associates, must also be in compliance.

What is HIPAA Compliant Email?

The HIPAA Privacy Rule created, for the first time, a set of national standards for the safeguarding of certain health information. It allows Covered Entities to disclose PHI to a Business Associate if they receive assurances that the Business Associate will use the information only within the scope for which it was engaged by the Covered Entity.

The HIPAA Security Rule was added to set out what safeguards must be in place to protect electronic PHI (ePHI), which is health information that is held or transferred in electronic form.

With regard to email, this means that covered entities are required to take reasonable steps to protect PHI on their own computers and as it is transmitted electronically, all the way to the recipient’s inbox.

If you are using a third party to transmit or host PHI, they are required by law to sign a Business Associate Agreement (BAA) with you. The BAA establishes that certain administrative, physical and technical safeguards are in place.

While there is no certification that confers HIPAA compliant status on an email provider, meeting the requirements set by the HIPAA Privacy and Security Rules is the best place to start, along with strong technical security measures to make sure PHI is protected inbox to inbox.

GoDaddy. A lot of people use GoDaddy’s hosting service and subsequently use GoDaddy’s Office 365 product, but not all Office 365 email is created equal.

Host Gator. Another popular web hosting provider that offers email hosting and is not HIPAA compliant.

This is because normal email was created with the priority on delivering messages, not security. Even if your email provider does secure email with TLS encryption, that doesn’t mean your message will be delivered securely.

That’s because if the recipient’s email provider doesn’t support TLS, the connection is downgraded and your message is delivered in clear text.

Google’s own data shows that only 87% of email sent with Gmail is delivered encrypted.

For HIPAA, 87% isn’t good enough. Only 100% encryption is acceptable.
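The downgrade described above, shown as an added example that is not part of the original article: a sending mail server reads the recipient server's EHLO reply, and under an opportunistic policy it falls back to clear text when STARTTLS is not advertised, whereas a mandatory policy refuses to deliver instead. The EHLO replies are constructed sample data; the policy names follow Postfix's `smtp_tls_security_level` values `may` and `encrypt`, and the outcome strings are this example's own.

```python
# Constructed EHLO replies, as a sending MTA sees them after the greeting.
EHLO_WITH_STARTTLS = (
    "250-mx.example-hospital.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.legacy-clinic.test\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)


def ehlo_keywords(reply: str) -> set[str]:
    """Return the capability keywords advertised in an EHLO reply (RFC 5321 layout)."""
    keywords = set()
    for index, line in enumerate(reply.splitlines()):
        if index == 0 or not line.startswith("250"):
            continue  # first line is the server hostname, not a capability
        # Lines look like "250-KEYWORD params" or, for the last one, "250 KEYWORD".
        keywords.add(line[4:].split(" ", 1)[0].upper())
    return keywords


def delivery_outcome(reply: str, policy: str) -> str:
    """What the sending MTA does for this recipient server under the given policy.

    'may'     : opportunistic TLS, use STARTTLS if offered, otherwise send in clear text.
    'encrypt' : mandatory TLS, deliver only over TLS, otherwise defer or bounce.
    """
    if "STARTTLS" in ehlo_keywords(reply):
        return "encrypted"
    if policy == "may":
        return "cleartext"  # the silent downgrade the article warns about
    if policy == "encrypt":
        return "refused"  # PHI is not exposed; the sender sees a delivery failure
    raise ValueError(f"unknown policy {policy!r}")


def encrypted_fraction(replies: list[str], policy: str) -> float:
    """Share of delivered messages that went out encrypted (refused ones never leave)."""
    delivered = [o for o in (delivery_outcome(r, policy) for r in replies) if o != "refused"]
    if not delivered:
        return 1.0
    return sum(o == "encrypted" for o in delivered) / len(delivered)
```

Under the `may` policy the fraction mirrors the kind of partial figure quoted above; under `encrypt` every message that is delivered at all is encrypted.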

The Easiest Way to Send and Receive HIPAA Compliant Email

Paubox can help you protect your patients’ data while providing it to them in a way that’s easy to access. We are able to do this because we believe in the term ‘seamless encryption.’

This greatly reduces the risk of accidentally sending PHI in an unencrypted email. It is easy to forget to press an encrypt button before pressing send, or simply not to realize that an email you sent contained PHI.

For recipients, it can be a hassle to have to log in to a portal or go through extra steps just to view a message.

Paubox’s Encrypted Email allows users to write and send emails as normal from laptops, desktops and mobile devices. Your recipients will be able to view messages and attachments without needing to enter extra passwords, download an app, or log in to a portal.

Even replies are automatically encrypted.

Paubox also integrates with G Suite, Office 365 and other commercial email providers, so you don’t have to change your email address. If you don’t have a provider yet, Paubox can also host your email address.

Looking for HIPPA Compliant Email?

People often get confused between HIPAA email and HIPPA email. HIPAA is commonly misspelled as HIPPA, and it’s easy to mistakenly google for “HIPPA compliant email” or “HIPPA email.” Google, however, is smart enough to know the correct spelling and will point you to the right pages by default. In a nutshell, “HIPPA compliant email” and “HIPPA email” are not correct. “HIPAA compliant email” and “HIPAA email” are the correct search terms.